Description
OS Command Injection vulnerability in Rapid7 InsightConnect SQLmap Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the api_host or api_port parameters during connection configuration due to insufficient input validation.
Published: 2026-06-25
Score: 6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS Command Injection flaw (CWE-78) in the Rapid7 InsightConnect SQLmap Plugin on Linux lets an authenticated user with elevated privileges run arbitrary operating system commands through the api_host or api_port parameters during connection configuration, because the plugin uses those values without validating them. The commands execute in the context of the plugin process. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L) rates the impact as high on integrity and low on confidentiality and availability, with no scope change; the advisory does not claim full system compromise, so the practical blast radius depends on what the plugin process can reach.

Affected Systems

The vulnerability affects the Rapid7 InsightConnect SQLmap Plugin on Linux. The advisory lists no affected version range, so every installation of the plugin should be treated as vulnerable until a release containing the fix is installed.

Risk and Exploitability

The CVSS 3.1 base score is 6.0 (Medium). The vector AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L describes a network-reachable, low-complexity attack that needs no user interaction but does require high privileges: an attacker needs an InsightConnect account allowed to configure the plugin's connection, then supplies a crafted api_host or api_port value. No EPSS score is available and the issue is not listed in the CISA KEV catalog. Because the plugin accepts these inputs without validation, the path from a connection-configuration change to command execution is direct; the risk is highest where many users hold connection-configuration rights or where the plugin process has broad access to the host or network.

Generated by OpenCVE AI on June 25, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Rapid7 InsightConnect SQLmap Plugin to a released version that contains the fix once Rapid7 publishes one; until then treat the plugin as unpatched.
  • Restrict the right to create or edit the plugin's connection configuration to trusted users and enforce least privilege on the InsightConnect API; consider disabling the plugin or the SQLmap feature until the patch is applied.
  • Monitor and alert on connection-configuration changes where api_host is not a syntactically valid hostname or IP address, or api_port is not an integer between 1 and 65535. Shell metacharacters in either value (semicolons, pipes, backticks, $( ), newlines) are a strong injection indicator, but an allowlist check on the expected grammar catches attempts a metacharacter blocklist would miss.
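The injection pattern the advisory describes and the monitoring rule above, worked through in Python as an added example that is not the Rapid7 plugin's own code. A stand-in `printf` command plays the role of the tool invocation so the example runs offline; the audit-log format and its field names are assumed. The allowlist validators are what the plugin should apply to api_host and api_port, and the same validators drive the log check, so a logged value is flagged exactly when the plugin would have to reject it.

```python
"""Illustration of the CWE-78 pattern in the advisory and of the monitoring
rule in the Recommended Actions. Added example, not the Rapid7 plugin's code:
the command template, the log line format and the field names are assumed."""
import ipaddress
import re
import subprocess

# api_host allowlist: RFC 1123 hostname labels, or an IPv4/IPv6 literal.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")
# Characters that let a value break out of a shell word or chain a command.
_SHELL_META_RE = re.compile(r"[;&|`$<>()\n\r\\'\"]")


def validate_api_host(host: str) -> str:
    """Return host unchanged if it is a hostname or IP literal, else raise."""
    if not host or len(host) > 253:
        raise ValueError("api_host is empty or too long")
    try:
        ipaddress.ip_address(host)          # accepts 10.0.0.5, ::1, ...
        return host
    except ValueError:
        pass
    if not _HOSTNAME_RE.match(host):
        raise ValueError(f"api_host is not a hostname or IP: {host!r}")
    return host


def validate_api_port(port) -> int:
    """Return port as int if it is a decimal integer in 1..65535, else raise."""
    text = str(port)
    if not re.fullmatch(r"[0-9]{1,5}", text):   # rejects '8775;id', '-1', ' 8775'
        raise ValueError(f"api_port is not a decimal integer: {text!r}")
    number = int(text)
    if not 1 <= number <= 65535:
        raise ValueError(f"api_port out of range: {number}")
    return number


# Stand-in for the real tool invocation so the example runs offline (assumed shape).
TEMPLATE = "printf 'host=%s port=%s' {host} {port}"


def run_vulnerable(api_host: str, api_port) -> str:
    """Assumed vulnerable shape: raw values pasted into a shell string.
    api_host='127.0.0.1;echo INJECTED' makes sh run 'echo' after printf."""
    cmd = TEMPLATE.format(host=api_host, port=api_port)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(api_host: str, api_port) -> str:
    """Validate first, then hand the values to sh as positional parameters:
    they arrive in $1/$2 as data and are never parsed as shell syntax."""
    host = validate_api_host(api_host)
    port = validate_api_port(api_port)
    argv = ["sh", "-c", "printf 'host=%s port=%s' \"$1\" \"$2\"", "sh", host, str(port)]
    return subprocess.run(argv, shell=False, capture_output=True, text=True).stdout


# Constructed sample audit lines (assumed format): one benign configuration
# change, three injection attempts and one merely malformed port.
SAMPLE_LOG = """\
2026-06-25T01:00:00Z user=alice action=sqlmap.connect api_host=10.0.0.5 api_port=8775
2026-06-25T01:00:05Z user=bob action=sqlmap.connect api_host=10.0.0.5;curl${IFS}evil api_port=8775
2026-06-25T01:00:09Z user=bob action=sqlmap.connect api_host=sqlmap.internal api_port=8775|nc
2026-06-25T01:00:12Z user=carol action=sqlmap.connect api_host=`id` api_port=8775
2026-06-25T01:00:20Z user=dave action=sqlmap.connect api_host=10.0.0.5 api_port=99999
"""
_FIELD_RE = re.compile(r"\b(api_host|api_port)=(\S+)")


def suspicious_calls(log_text: str) -> list:
    """Apply the plugin-side allowlist to logged api_host/api_port values.
    Returns (line_no, field, value, reason); reason is 'shell-metacharacters'
    when the value could alter the command, 'malformed' otherwise."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        for field, value in _FIELD_RE.findall(line):
            check = validate_api_host if field == "api_host" else validate_api_port
            try:
                check(value)
            except ValueError:
                reason = "shell-metacharacters" if _SHELL_META_RE.search(value) else "malformed"
                hits.append((line_no, field, value, reason))
    return hits


if __name__ == "__main__":
    print(run_vulnerable("127.0.0.1;echo INJECTED", 8775))   # shows the breakout
    print(run_hardened("10.0.0.5", "8775"))                   # host=10.0.0.5 port=8775
    for hit in suspicious_calls(SAMPLE_LOG):
        print("ALERT", hit)
```

The hardened path does two independent things: it rejects anything outside the hostname/IP and port grammar, and it passes the surviving values as argv entries rather than splicing them into a shell string, so even a validator bug cannot turn a value into shell syntax. The detection function deliberately reuses the validators instead of a metacharacter blocklist; the fifth sample line (port 99999) is caught as malformed even though it contains no shell characters, which a blocklist alone would miss.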


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 00:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           OS Command Injection vulnerability in Rapid7 InsightConnect SQLmap Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the api_host or api_port parameters during connection configuration due to insufficient input validation.
Title         (none)           OS Command Injection in Rapid7 InsightConnect SQLmap Plugin
Weaknesses    (none)           CWE-78
References    (none)           (none)
Metrics       (none)           cvssV3_1 {'score': 6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: rapid7

Published:

Updated: 2026-06-25T00:07:16.768Z

Reserved: 2026-05-15T06:28:55.822Z

Link: CVE-2026-8659

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T02:30:15Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')